---
layout: docs
page_title: Vault Enterprise FIPS Seal Wrap
description: |-
  Vault Enterprise features a mechanism to wrap values with an extra layer of
  encryption for supporting seals. This can be used for FIPS Compliance with
  a certified HSM.
---

# Seal wrap for FIPS compliance

@include 'alerts/enterprise-only.mdx'

Vault Enterprise features a mechanism to wrap values with an extra layer of
encryption for supporting [seals](/vault/docs/configuration/seal). This adds an
extra layer of protection and is useful in some compliance and regulatory
environments, including FIPS 140-2 environments.

To use this feature, you must have an active or trial license for Vault
Enterprise Plus (HSMs). To start a trial, contact [HashiCorp
sales](mailto:sales@hashicorp.com).

## Using seal wrap

See [the Enterprise documentation](/vault/docs/enterprise/sealwrap) for instructions
on how to use and enable Seal Wrap.

## FIPS 140-2 compliance

Vault's Seal Wrap feature has been evaluated by Leidos for compliance with
FIPS 140-2 requirements. When used with a FIPS 140-2-compliant HSM, Vault will
store Critical Security Parameters (CSPs) in a manner that is compliant with
KeyStorage and KeyTransit requirements. This is on by default for many parts of
Vault and opt-in for each individual mount; see the Activating Seal Wrapping
section below for details.

[View and download current Vault compliance letters](https://www.hashicorp.com/vault-compliance)

### Updates since the latest FIPS compliance audit

The following are values that take advantage of seal wrapping in the current
release of Vault that have not yet been asserted as compliant by Leidos. The
mechanism for seal wrapping is the same, they simply were not specifically
evaluated by the auditors.

- Root tokens
- Replication secondary activation tokens
- Client authentication information for the GCP Auth Backend
- Client authentication information for the Kubernetes Auth Backend

## Seal wrap and replication

Because of the level of flexibility targeted for replication, values sent over
replication connections do not currently meet KeyTransit requirements for FIPS
140-2. Vault's clustering implementation does support best practices guidance
given in FIPS 140-2, but the cryptographic implementation of TLS is not FIPS
140-2 certified. We may look into providing certified TLS in the future for
replication traffic; in the meantime, a transparent TCP proxy that supports
certified FIPS 140-2 TLS (such as
[stunnel](https://www.stunnel.org/index.html)) can be used for replication
traffic if meeting KeyTransit requirements for replication is necessary.

[configuration]: /vault/docs/configuration
